RBL lookups are being blocked

dciwebworks
Posts: 17
Joined: Tue Nov 26, 2013 12:50 pm

RBL lookups are being blocked

Post by dciwebworks » Mon May 05, 2014 8:10 am

Here is part of a header for a SPAM that cleared as HAM, with the IP address listed in RBLs that we employ with MagicSpam and WHM:

Content analysis details: (1.2 points, 5.0 required)

pts rule name description
---- ---------------------- --------------------------------------------------
0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
See
http://wiki.apache.org/spamassassin/Dns ... nsbl-block
for more information.

NEW ADDITION: Elsewhere in the header I get the message: X-Ham-Report:

Spam detection software, running on the system "vps.### #.com", has
identified this incoming email as possible spam. The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email. If you have any questions, see
root\@localhost for details.

I am seeing SPAMHAUS and BARRACUDA listed IP addresses getting passed as HAM to user inboxes; they have this same notice. Can you assist in helping me understand how to get around this to block the SPAM more effectively? Thank you.
Last edited by dciwebworks on Mon May 05, 2014 12:34 pm, edited 1 time in total.
Brian Clancy
DCIWebworks
Denver, CO

magicspam
Posts: 1101
Joined: Tue Oct 28, 2008 2:27 pm

Re: RBL lookups are being blocked

Post by magicspam » Mon May 05, 2014 10:50 am

Hello Brian,

Thank you for the post.

The message indicates that a DNSRBL list that is enabled was not reachable by your SpamAssassin at the time of the check. It is most likely your server has reached the maximum allowed lookups against one of the DNSRBL lists enabled in your SpamAssassin's settings.

We recommend utilizing the IP Reputation list in the MagicSpam settings instead of using SpamAssassin's DNSRBL settings.

If you still have the original spam message, please forward it as an attachment to support@magicspam.com and we can examine it to provide further suggestions.

Please let us know if you have any questions.
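Added example, not part of the original thread and not MagicSpam or SpamAssassin code: a small Python helper that tells a DNSBL answer meaning "query refused" apart from one meaning "listed", so a blocked lookup is not silently treated as a clean result. The function names are hypothetical, the answers are passed in rather than resolved live, and the refusal codes are the ones documented by Spamhaus and URIBL.

```python
import ipaddress
import re

# Answers that mean "query refused", not "listed". Assumption: one table is
# applied to every zone for brevity; codes are from the list operators' docs.
BLOCKED_CODES = {
    "127.0.0.1": "URIBL: query blocked (shared resolver or over quota)",
    "127.255.255.252": "Spamhaus: typo in DNSBL zone name",
    "127.255.255.254": "Spamhaus: query came via a public/open resolver",
    "127.255.255.255": "Spamhaus: excessive number of queries",
}

def dnsbl_qname(ip, zone):
    """Build the reversed-octet query name for an IPv4 address and DNSBL zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.strip(".")

def classify(answers):
    """Map the A records returned by a DNSBL to (status, detail)."""
    if not answers:  # NXDOMAIN or empty answer: address is not on the list
        return "not_listed", None
    for a in answers:
        if a in BLOCKED_CODES:
            return "blocked", BLOCKED_CODES[a]
    loopback = ipaddress.ip_network("127.0.0.0/8")
    if all(ipaddress.IPv4Address(a) in loopback for a in answers):
        return "listed", ", ".join(answers)
    return "invalid", "answer outside 127.0.0.0/8, resolver may be rewriting replies"

def blocked_rules(report):
    """Return SpamAssassin rule names ending in _BLOCKED from a report body."""
    return re.findall(r"^\s*-?\d+\.\d+\s+(\w+_BLOCKED)\b", report, flags=re.M)

# Constructed sample, modelled on the report lines quoted in the first post.
SAMPLE_REPORT = (
    "pts rule name description\n"
    "0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.\n"
)

if __name__ == "__main__":
    print(dnsbl_qname("192.0.2.10", "zen.spamhaus.org"))
    print(classify(["127.255.255.254"]))   # refused: lookups are not working
    print(classify(["127.0.0.2"]))         # a genuine listing
    print(classify([]))                    # not listed
    print(blocked_rules(SAMPLE_REPORT))
```

A "blocked" result on a mail server usually points at the resolver the server uses rather than at the message being scanned.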

dciwebworks
Posts: 17
Joined: Tue Nov 26, 2013 12:50 pm

Re: RBL lookups are being blocked

Post by dciwebworks » Wed May 07, 2014 10:17 am

Thank you for your assistance.

Which other lists (other than the "recommended") should I use in the IP reputation configuration?

The RBL that is being blocked has a pretty consistent record of finding real spam, otherwise missed.

What's really bothering me is that the WHM Exim is delivering mail that emanates from an IP that is on BOTH SPAMCOP and Spamhaus zen, which I am subscribed to, per my earlier email.

Is SpamAssassin "processing" this email before it can run through the verifications, thereby bypassing the RBL checks configured in Exim?
Brian Clancy
DCIWebworks
Denver, CO

magicspam
Posts: 1101
Joined: Tue Oct 28, 2008 2:27 pm

Re: RBL lookups are being blocked

Post by magicspam » Thu May 29, 2014 4:47 pm

Hello Brian,

While we have answered your questions through email, we would like to mention on the forum here that we recommended enabling the following items to address the spam issues you reported:

- enabling MIPSPACE in the IP Reputation list
- enabling the rule "Block Mail Servers on Dynamic/Dial-up Addresses"

With regards to the aggressiveness of MIPSPACE reputation list, we have been talking with the MIPSPACE operators. They are currently planning on breaking up the single list into multiple subsets. This should allow for greater customization and fewer false positives, such as those you experienced. For more information please see the link below:

http://mipspace.com/ratings.php

About the dynamic-address rule, it uses the following standards to determine if the email is coming from a spam source.

http://www.linuxmagic.com/best_practice ... e_dns.html


-- MagicSpam Support Team --
